Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.[1] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.

ID | Name | Description |
---|---|---|
S0606 | Bad Rabbit | Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.[2] |
S0266 | TrickBot | TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[3] |

ID | Mitigation | Description |
---|---|---|
M1046 | Boot Integrity | Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. |
M1026 | Privileged Account Management | Prevent adversary access to privileged accounts or access necessary to replace system firmware. |
M1051 | Update Software | Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. |

ID | Data Source | Data Component |
---|---|---|
DS0001 | Firmware | Firmware Modification |

System firmware manipulation may be detected.[4] Log attempts to read/write to BIOS and compare against known patching behavior.
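
One way to implement the comparison against known patching behavior, as an added example that is not part of the original page. The log schema, host names, process names and the approved-update baseline are all constructed for illustration.

```python
import json
from datetime import datetime

# Constructed baseline: approved firmware update jobs (hypothetical schema).
APPROVED = [
    {"host": "ws-014", "process": "oem_fwupdate.exe", "signer": "Example OEM",
     "start": "2024-03-12T01:00:00", "end": "2024-03-12T03:00:00"},
]

# Constructed firmware-access log lines (hypothetical fields, one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2024-03-12T01:20:11", "host": "ws-014", "process": "oem_fwupdate.exe", "signer": "Example OEM", "op": "write"}
{"ts": "2024-03-14T22:41:03", "host": "ws-014", "process": "oem_fwupdate.exe", "signer": "Example OEM", "op": "write"}
{"ts": "2024-03-12T01:25:40", "host": "ws-014", "process": "svc_helper.exe", "signer": null, "op": "erase"}
{"ts": "2024-03-13T09:02:57", "host": "ws-020", "process": "inventory_agent.exe", "signer": "Example IT", "op": "read"}
"""

def mismatches(event, job):
    """Return the reasons an event does not fit one approved update job."""
    reasons = []
    if event["host"] != job["host"]:
        reasons.append("host not scheduled")
    if event["process"] != job["process"] or event["signer"] != job["signer"]:
        reasons.append("unapproved updater")
    ts = datetime.fromisoformat(event["ts"])
    if not datetime.fromisoformat(job["start"]) <= ts <= datetime.fromisoformat(job["end"]):
        reasons.append("outside change window")
    return reasons

def classify(event, approved=APPROVED):
    """Map one firmware-access event to (verdict, reasons)."""
    if event["op"] == "read":
        # Reads are logged for context; they do not modify flash.
        return "log", []
    # Any other operation (write, erase) must match an approved job in every respect.
    best = min((mismatches(event, j) for j in approved), key=len,
               default=["no approved updates on record"])
    return ("expected", []) if not best else ("alert", best)

def triage(log_text, approved=APPROVED):
    """Parse JSON-lines telemetry into (ts, host, op, verdict, reasons) rows."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [(e["ts"], e["host"], e["op"], *classify(e, approved)) for e in events]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The alert reasons name the closest approved job's mismatches, so an analyst can tell a legitimate updater run outside its change window from an unknown process touching flash during one.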